On Wed, 17 Jun 2015, Andrew Couzens wrote:
David,
When using just %timestamp% the TS is reduced to reporting like:
Jun 17 11:26:22 testhost test: TEST
Here is the config
$template FileFormatFromhost,"%timestamp% %HOSTNAME%
%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$template ForwardFormatFromhost,"<%PRI%>%timestamp% %HOSTNAME%
%syslogtag%%msg:::sp-if-no-1st-sp%%msg%"
$ActionFileDefaultTemplate FileFormatFromhost
$ActionForwardDefaultTemplate ForwardFormatFromhost
It would appear as though rsyslog is not able to parse the date header and is replacing it with
%timegenerated% as per the documentation: "timereported" is what the sending device reports as
time. This is taken from the appropriate syslog header field. If and only if the syslog date header cannot
properly be parsed, "timereported" is populated with the same value as "timegenerated".
log with the format RSYSLOG_DebugFormat and you will see exactly what is in each
variable.
David Lang
Andrew
what if you just do %timestamp%?
also, the fact that it's reporting mroe precision than what you are receiving
makes me doubt that you are actually using the templates in your output. can you
show us your config?
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
